TestMCPServerConfigsSecretsNeverLeaked is a load-bearing test that ensures secret fields (OAuth2 client secret, API key value, custom headers) are never present in API responses for any caller. If this test fails, it means a code change accidentally started exposing secrets. See: https://github.com/
(t *testing.T)
| 194 | // test fails, it means a code change accidentally started exposing |
| 195 | // secrets. See: https://github.com/coder/coder/pull/23227#discussion_r2959461109 |
| 196 | func TestMCPServerConfigsSecretsNeverLeaked(t *testing.T) { |
| 197 | t.Parallel() |
| 198 | |
| 199 | ctx := testutil.Context(t, testutil.WaitLong) |
| 200 | adminClient := newMCPClient(t) |
| 201 | firstUser := coderdtest.CreateFirstUser(t, adminClient) |
| 202 | memberClient, _ := coderdtest.CreateAnotherUser(t, adminClient, firstUser.OrganizationID) |
| 203 | |
| 204 | // Create a config with ALL secret fields populated. |
| 205 | created, err := adminClient.CreateMCPServerConfig(ctx, codersdk.CreateMCPServerConfigRequest{ |
| 206 | DisplayName: "Secrets Test", |
| 207 | Slug: "secrets-test", |
| 208 | Transport: "streamable_http", |
| 209 | URL: "https://mcp.example.com/secrets", |
| 210 | AuthType: "oauth2", |
| 211 | OAuth2ClientID: "client-id-secret-test", |
| 212 | OAuth2ClientSecret: "THIS-IS-A-SECRET-VALUE", |
| 213 | OAuth2AuthURL: "https://auth.example.com/authorize", |
| 214 | OAuth2TokenURL: "https://auth.example.com/token", |
| 215 | OAuth2Scopes: "read write", |
| 216 | APIKeyHeader: "X-Api-Key", |
| 217 | APIKeyValue: "THIS-IS-A-SECRET-API-KEY", |
| 218 | CustomHeaders: map[string]string{"X-Custom": "THIS-IS-A-SECRET-HEADER"}, |
| 219 | Availability: "default_on", |
| 220 | Enabled: true, |
| 221 | ToolAllowList: []string{}, |
| 222 | ToolDenyList: []string{}, |
| 223 | }) |
| 224 | require.NoError(t, err) |
| 225 | |
| 226 | // The sentinel values we must never see in any JSON response. |
| 227 | secrets := []string{ |
| 228 | "THIS-IS-A-SECRET-VALUE", |
| 229 | "THIS-IS-A-SECRET-API-KEY", |
| 230 | "THIS-IS-A-SECRET-HEADER", |
| 231 | } |
| 232 | |
| 233 | assertNoSecrets := func(t *testing.T, label string, v interface{}) { |
| 234 | t.Helper() |
| 235 | data, err := json.Marshal(v) |
| 236 | require.NoError(t, err) |
| 237 | jsonStr := string(data) |
| 238 | for _, secret := range secrets { |
| 239 | assert.False(t, strings.Contains(jsonStr, secret), |
| 240 | "%s: JSON response contains secret %q", label, secret) |
| 241 | } |
| 242 | } |
| 243 | |
| 244 | // Verify the create response doesn't leak secrets. |
| 245 | assertNoSecrets(t, "admin create response", created) |
| 246 | |
| 247 | // Verify boolean indicators are set correctly. |
| 248 | require.True(t, created.HasOAuth2Secret, "HasOAuth2Secret should be true") |
| 249 | require.True(t, created.HasAPIKey, "HasAPIKey should be true") |
| 250 | require.True(t, created.HasCustomHeaders, "HasCustomHeaders should be true") |
| 251 | |
| 252 | // Admin list endpoint. |
| 253 | adminConfigs, err := adminClient.MCPServerConfigs(ctx) |
nothing calls this directly
no test coverage detected